New VPNFilter malware targets routers and NAS boxes worldwide

A virulent new strain of malware has infected more than half a million consumer and small-business networking devices, it has been revealed.

Dubbed 'VPNFilter', according to researcher’s at Cisco Systems' security division, Talos, the infection targets numerous routers and network-attached storage (NAS) devices from major manufacturers such as Netgear, QNAP, TP-Link and Linksys.

The malware is able to spy on network traffic and potentially steal website usernames and passwords, and can also be used to ‘brick' infected devices, rendering them inoperable.

Although the exact creator of the malware is as yet unknown – and if other recent attacks are an indication, it will likely remain so – after working with law enforcement as well as private- and public-sector partners, Cisco has stated that the "sophisticated modular malware system” appears to be the work of a state-sponsored or state-affiliated actor.

Related: New internet of things security code aims to stamp out Mirai and other threats

Target local, spread global

The malware’s creators appear to be focused on infecting devices located within Ukraine, although the virus has been discovered hiding on equipment located in 54 countries across the globe.

Certain parts of the code used in VPNFilter match that found in an earlier malware strain called BlackEnergy, which also heavily targeted Ukrainian devices and was used in several large scale attacks.

The malware is designed in such a way that it can have additional capabilities added after the initial device infection and, unlike many other viruses targeting Internet of Things gear, it could initially persist after a device had been rebooted – although, according to The Daily Beast, the FBI has reportedly managed to seize a server being used by the botnet, which has subsequently disabled VPNFilter's ability to reactivate itself after a reboot.

Cisco recommends that infected users reset their devices to factory defaults and then reboot them, which should remove the "potentially destructive, non-persistent stage 2 and stage 3 malware".

The networking company has also released the model numbers of devices known to be at risk of infection, but warns that the current list is likely incomplete, and that other devices are almost certain to be added:

Linksys E1200
Linksys E2500
Linksys WRVS4400N
Netgear DGN2200
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
QNAP TS251
QNAP TS439 Pro
TP-Link R600VPN

Router on the infected list? Maybe it's time for an upgrade. Here are our recommendations for the best routers of 2018.

Dan is a veteran Australian tech journalist with more than 20 years industry experience. He cut his teeth in the world of print media, starting as a product reviewer and tester and eventually working his way up to become editor of the two top-selling tech mags Down Under (TechLife and APC) and has been managing TechRadar's APAC presence since 2016. He's passionate about most things tech, but is particularly opinionated when it comes to PC hardware, phones, ereaders, video games and online streaming. When he's not staring at screens, Dan loves to spend time cooking – particularly spicy Thai food. (If it's not hot enough to bring tears to your eyes, he's not interested.)